Bbcode Web Tags?



Subject: Re: Bbcode Web Tags?
Maybe I didn't explain properly.

I'm referring to this part:
mort wrote:
I think that this should do it:

Code:
elseif ($tag === 'web' && (($userdata['user_level'] == ADMIN) || ($userdata['user_level'] == MOD)))
{
    $html = '<iframe src="' . $content . '" width="' . $width . '" height="' . $height . '" marginwidth="0" marginheight="0" frameborder="0" scrolling="yes"></iframe>';
}


Your code checks the permission with $userdata, but $userdata in bbcode.php just contains current user permission, and bbcode.php is not checking if the content is going to be added to DB or not... it just checks the level of the user viewing the parsed text.

Maybe an example will help.

If I, as an admin, add the [web]URL[/web] code, the code will be processed and shown to me... but when a normal user tries to display the post, when bbcode parses the text it checks against userdata, which means that the user won't see the content because they are not an admin... I don't know if you get my point.

Conversely, if a normal user posts the [web]URL[/web] tags, then only admins will be able to display that, not normal users... this still leads to security issues, because any user can still inject HTML code and attack any admin or moderator who is able to display the code properly.

Instead of working on bbcode.php, you should work at the posting level, checking the level of the user posting such content, and remove or sanitize the unwanted tags at that stage... because it's only at that point that you can tell if the user is allowed to post such content or not...

If you have a chance to test the latest dev version of Icy Phoenix, there is a new option in ACP where you can allow administrators to add HTML to posts, and I'm confident that it is quite safe, because it checks the permissions when posting, and not when viewing. This just means that if a user has admin rights, they can post HTML and it will be added to the DB as HTML code... if the user is not an admin, any new post or post edit (because you also have to deal with post editing!) will be sanitized against any HTML markup and it will be shown as plain text and not HTML.

Sorry, but it's tough for me trying to explain this, because it's not an easy matter. :sad:

Anyway if it is still not clear (or if I misunderstood your post), I can try to explain again.

Subject: Re: Bbcode Web Tags?
I understand what you're saying and I knew that there was still a problem with permissions, but I was so tired last night I couldn't think back through it and rationalise it.

:(

@ batman

There you go my friend - read the changes here from the "original" script to make the height and width work with vars if required - Use it at your own risk - Maybe a dedicated forum with only Admin / Mod permissions to post iframes etc. Or wait until the release of the next version of Icy Phoenix.

I also think that this thread can be marked solved. ;)

But at least it got a workout! :mryellow:

@ MG,

I will have a look at the dev version - only if I don't have to go and get it from SVN. Sooooooo, if you have a .zip available somewhere and hit me with a link to download it - That'd be nice. :mricy:

Subject: Re: Bbcode Web Tags?
mort wrote:
I will have a look at the dev version - only if I don't have to go and get it from SVN. Sooooooo, if you have a .zip available somewhere and hit me with a link to download it - That'd be nice. :mricy:

Give me a second, I will send you last SVN

Subject: Re: Bbcode Web Tags?
Here we go @mort


http://icy-mods.com/icy_new/icy_nuevo.zip

In English and Spanish

Gimme a shout when you got it, to delete the link

Subject: Re: Bbcode Web Tags?
Mighty Gorgon wrote:
Hi all,
Honestly I would not add such a BBCode unless in some way restricted to administrators or people you are trusting blindly.

The reason is that you can add almost anything in an IFRAME, even evil scripts which could harm your visitors... I wouldn't risk that honestly.

In dev version of Icy Phoenix it should be easier get what you need because I have coded (I hope properly, but not fully tested so far) an option to allow HTML to administrators... anyway, you are asking something for the old version.

Before going on in helping you I would like you to confirm that you are aware of the risks you are going to face... :mri:


That's not a problem at all as most just post the link. It would be ideal if a mod or admin could edit the post to set it as a web tag so viewers don't need to navigate away from the site.


I don't know whether this helps or not, but this is code from the BBCode JavaScript, 2 different files:
bbcode_box.js
bbcode_box_a.js

Subject: Re: Bbcode Web Tags?
@ batman.

Jeeeze mate, what are you doing with that last post of yours? :?:


The damn thing is trying to load some microsoft stuff if one is using IE! Grrrrrrrrrrr! :mrblue:



Code tags mate and SPOILERS! :P

@ spydie and theSteffen - Thanks, I've got it. :mryellow:


Attachment: webtags1.png (16.65 KB)


Subject: Re: Bbcode Web Tags?
Small part of the last posted code by batman that made me edit this multiple times without success:

Code:
function BBCfade() {
var txtarea = document.post.message;

if ((clientVer >= 4) && is_ie && is_win) {
theSelection = document.


More than this just was not there ... like it wasn't enough already :LOL:

Edit:
OOooh and batman... please try to post properly as Mort already asked you

greetings,
.. your Hairdresser :LOL:

Subject: Re: Bbcode Web Tags?
Thanks for the edit Joshua203, I did put in code tags but it didn't work for some reason :? :wink:

Subject: Re: Bbcode Web Tags?
I can't see how the code is of any use anyway - it's like comparing apples and bananas. :mryellow:

Also - Back on-Topic:

You said back there you only wanted Admins and Mods to be able to tag existing URLs?

It raises something interesting that I'm trying to get my head around and will have a look at - Not promising, because of the permissions to prevent users from exploiting it - as MG stated - ain't quite that easy.

:(

 
Off Topic:

Joshua wrote: 
greetings,
.. your Hairdresser


Hehehe! I think that means he's sharpening up the cut-throat razor - because he probably never cut hair in his life! :mryellow:

Subject: Re: Bbcode Web Tags?
batman wrote:
Thanks for the edit Joshua203, I did put in code tags but it didn't work for some reason :? :wink:


Probably the character limit for posting was hit :wink:

EDIT:
@Mort ..hehehe I prefer not to explain the undertone of that joke :wink: :LOL:

Subject: Re: Bbcode Web Tags?
mort wrote:
@ MG,

I will have a look at the dev version - only if I don't have to go and get it from SVN. Sooooooo, if you have a .zip available somewhere and hit me with a link to download it - That'd be nice. :mricy:

Guys, there is no need to create a zip on your own... please use the GIT repository, since it is always synchronized with SVN (I update them at the same time) and it has some very nice features for quick interaction.

For example, from here https://github.com/MightyGorgon/icy_phoenix you can download the package directly as a ZIP by clicking on the top right button.

Regarding the permissions system and the possibility for ADMINS / MODS to edit other users' posts, it is integrated in the latest dev version: there is a switch in ACP and some code in posting.php.

I just point you to a piece of code:
Code:
$html_on = (!empty($_POST['disable_html']) ? 0 : ((($userdata['user_level'] == ADMIN) && $config['allow_html_only_for_admins']) ? 1 : $html_on));


I decided to move the check on the HTML switch instead of playing with the parsing itself, because it is easy.

If you just want to force that in old Icy Phoenix, you should be able to do that by just inserting something like this (without any need to integrate the ACP switch):

Code:
$html_on = (!empty($_POST['disable_html']) ? 0 : (($userdata['user_level'] == ADMIN) ? 1 : $html_on));


Just after the check of HTML switch:

Code:
// Set toggles for various options
if (!$board_config['allow_html'])
{
    $html_on = 0;
}
else
{
    $html_on = ($submit || $refresh) ? ((!empty($_POST['disable_html'])) ? 0 : 1) : (($userdata['user_id'] == ANONYMOUS) ? $board_config['allow_html'] : $userdata['user_allowhtml']);
}
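
The distinction drawn in this thread (decide by the poster's level when a post is saved or edited, as in the posting.php snippet above, rather than by the viewer's level when bbcode.php parses it), as an added PHP example that is not part of the original posts and is not Icy Phoenix code. The level values, both function names and the fixed iframe size are assumptions made for illustration.

```php
<?php
// Added example, not Icy Phoenix code. Level values and function names are
// hypothetical stand-ins for the board's own definitions.
const USER = 0;
const ADMIN = 1;
const MOD = 2;

// Save/edit time: decide by the level of the account storing the text.
function filter_web_tags_on_post(string $message, int $poster_level): string
{
    $trusted = in_array($poster_level, [ADMIN, MOD], true);
    do {
        // Repeat until stable so stripping cannot re-assemble a split tag.
        $before = $message;
        $message = preg_replace_callback(
            '#\[web\](.*?)\[/web\]#is',
            function (array $m) use ($trusted): string {
                $url = trim($m[1]);
                $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
                $ok = $trusted && in_array($scheme, ['http', 'https'], true);
                return $ok ? '[web]' . $url . '[/web]' : $url; // else plain text
            },
            $message
        ) ?? $before;
    } while ($message !== $before);
    return $message;
}

// View time: no check on the viewer, only escaping of what was stored.
function render_web_tags(string $stored): string
{
    $escaped = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    return preg_replace(
        '#\[web\](https?://[^\s\[\]]+)\[/web\]#i',
        '<iframe src="$1" width="600" height="400" frameborder="0"></iframe>',
        $escaped
    );
}

// Constructed sample posts.
$samples = [
    'user'   => filter_web_tags_on_post('[web]http://example.com/[/web]', USER),
    'admin'  => filter_web_tags_on_post('[web]http://example.com/[/web]', ADMIN),
    'split'  => filter_web_tags_on_post('[w[web][/web]eb]http://example.com/[/w[web][/web]eb]', USER),
    'scheme' => filter_web_tags_on_post('[web]javascript:void(0)[/web]', MOD),
];
foreach ($samples as $who => $stored) {
    echo $who, ': ', render_web_tags($stored), "\n";
}
```

Only the admin sample comes out as an iframe; the other three are stored and shown as plain text for every viewer, admins included.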

Subject: Re: Bbcode Web Tags?
Oh oh! I sent you a PM before I read this. :oops:

But I still think I would like to destroy the web tags with something colourful if users try to use it. :mryellow:

And thanks for the github link.

Subject: Re: Bbcode Web Tags?
mort wrote:
I can't see how the code is of any use anyway - it's like comparing apples and bananas. :mryellow:

Also - Back on-Topic:

You said back there you only wanted Admins and Mods to be able to tag existing URLs?

It raises something interesting that I'm trying to get my head around and will have a look at - Not promising, because of the permissions to prevent users from exploiting it - as MG stated - ain't quite that easy.

:(

 
Off Topic:

Joshua wrote: 
greetings,
.. your Hairdresser


Hehehe! I think that means he's sharpening up the cut-throat razor - because he probably never cut hair in his life! :mryellow:
Joshua203 wrote:
batman wrote:
Thanks for the edit Joshua203, I did put in code tags but it didn't work for some reason :? :wink:


Probably the character limit for posting was hit :wink:

EDIT:
@Mort ..hehehe I prefer not to explain the undertone of that joke :wink: :LOL:


OK Laurel and Hardy laurel_hardy :P I'm no coder so wouldn't know an apple from a banana :wink:
